Overview - Yara rules

// XMRig miner: file/library names of the XMRig 6.x build plus the standard
// MS-DOS stub text. The $dos_stub_* fragments are present in ordinary PE files
// and add no specificity on their own; the $xmrig_* names carry the signal.
rule CISA_10372500_02 : miner XMRIG {
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10372500"
		Date = "2022-03-03"
		Last_Modified = "20220307_1600"
		Actor = "n/a"
		Category = "Miner"
		Family = "XMRIG"
		Description = "Detects XMRIG Miner samples"
		MD5_1 = "f0cf1d3d9ed23166ff6c1f3deece19b4"
		SHA256_1 = "0663d70411a20340f184ae3b47138b33ac398c800920e4d976ae609b60522b01"
	strings:
		$xmrig_version  = { 58 4D 52 69 67 20 36 2E }                         // "XMRig 6."
		$xmrig_config   = { 63 6F 6E 66 69 67 5C 78 6D 72 69 67 2E 6A 73 }    // "config\xmrig.js"
		$xmrig_cuda_dll = { 78 6D 72 69 67 2D 63 75 64 61 2E 64 6C 6C }       // "xmrig-cuda.dll"
		$xmrig_lib      = { 6C 69 62 78 6D 72 69 67 2D }                      // "libxmrig-"
		$cuda_so        = { 63 75 64 61 2E 73 6F }                            // "cuda.so"
		$dos_stub_1     = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F } // "is program canno"
		$dos_stub_2     = { 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 }    // "t be run in DOS"
	condition:
		// Every declared string is required (equivalent to "all of them").
		all of ($xmrig_*) and $cuda_so and all of ($dos_stub_*)
}
// Hunting rule: shell scripts that probe several AWS_* credential-bearing
// environment variables and echo them back ("then echo " repeated). LinPEAS
// is carved out: when both $linpeas_* markers are present the file is treated
// as LinPEAS (or a variant) and the rule does not fire.
rule P0_Hunting_AWS_EnvVarNames_1 {
	meta:
		description = "Detecting presence of scripts searching for numerous environment variables containing sensitive AWS credential information. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected."
		author = "daniel.bohannon@permiso.io (@danielhbohannon)"
		date = "2023-07-12"
		reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
		md5_01 = "3e2cddf76334529a14076c3659a68d92"
		md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
		md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
		md5_04 = "28165d28693ca807fb3d4568624c5ba9"
		md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
		md5_06 = "f7df739f865448ac82da01b3b1a97041"
		md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
		// NOTE(review): md5_08 and md5_09 hold the same value; one of them is
		// probably a copy/paste slip — verify against the reference sample list.
		md5_08 = "99f0102d673423c920af1abc22f66d4e"
		md5_09 = "99f0102d673423c920af1abc22f66d4e"
		md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
	strings:
		$shebang_sh   = "#!/bin/sh"
		$shebang_bash = "#!/bin/bash"
		// Space-bounded prefixes so that "$AWS_..." inside larger tokens is not counted.
		$aws_var_prefix_plain = " $AWS_ "
		$aws_var_prefix_brace = " ${AWS_"
		$aws_var_01 = "AWS_ACCESS_KEY_ID"
		$aws_var_02 = "AWS_SECRET_ACCESS_KEY"
		$aws_var_03 = "AWS_SESSION_TOKEN"
		$aws_var_04 = "AWS_SHARED_CREDENTIALS_FILE"
		$aws_var_05 = "AWS_CONFIG_FILE"
		$aws_var_06 = "AWS_DEFAULT_REGION"
		$aws_var_07 = "AWS_REGION"
		$aws_var_08 = "AWS_EC2_METADATA_DISABLED"
		$echo_then = "then echo "
		$linpeas_banner = "#-------) Checks pre-everything (---------#"
		$linpeas_fast   = "--) FAST - Do not check 1min of procceses and su brute" // spelling is verbatim from LinPEAS
	condition:
		1 of ($shebang_*)
		// The $aws_var_* wildcard also covers the two prefix strings, matching
		// the original "$envVarAWS*" wildcard, so "4 of" counts ten candidates.
		and any of ($aws_var_prefix_*)
		and 4 of ($aws_var_*)
		and #echo_then > 3
		and not ($linpeas_banner and $linpeas_fast)
}
// Hunting rule: scripts that grep the AccessKeyId/SecretAccessKey/Token/
// Expiration fields out of a JSON credential blob and rewrite them with sed
// into "aws configure set ..." commands. All four sed rewrites plus the grep
// and the configure prefix must be present.
rule P0_Hunting_AWS_SedEnvVarExtraction_1 {
	meta:
		// NOTE(review): every meta value below is padded with a leading and
		// trailing space, unlike P0_Hunting_AWS_EnvVarNames_1 from the same
		// author/date — this looks like an extraction artifact of the page, not
		// part of the rule. Values are kept verbatim.
		description = " Detecting presence of scripts using native sed (Stream Editor) utility extracting numerous environment variables containing sensitive AWS credential information "
		author = " daniel.bohannon@permiso.io (@danielhbohannon) "
		date = " 2023-07-12 "
		reference = " https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/ "
		md5_01 = " 3e2cddf76334529a14076c3659a68d92 "
		md5_02 = " b9113ccc0856e5d44bab8d3374362a06 "
		md5_03 = " d9ecceda32f6fa8a7720e1bf9425374f "
		md5_04 = " 28165d28693ca807fb3d4568624c5ba9 "
		md5_05 = " 0855b8697c6ebc88591d15b954bcd15a "
		md5_06 = " f7df739f865448ac82da01b3b1a97041 "
		md5_07 = " 1a37f2ef14db460e5723f3c0b7a14d23 "
		md5_08 = " 99f0102d673423c920af1abc22f66d4e " // NOTE(review): same value as md5_09
		md5_09 = " 99f0102d673423c920af1abc22f66d4e "
		md5_10 = " 5daace86b5e947e8b87d8a00a11bc3c5 "
	strings:
		// The surrounding spaces in the patterns are part of the signature
		// (pipe-delimited command context); "\\|" is a literal backslash-pipe.
		$grep_creds        = " | grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' | "
		$aws_configure_set = " aws configure set aws_ "
		$sed_access_key    = " sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g' "
		$sed_secret_key    = " sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g' "
		$sed_session_token = " sed 's# \"Token\" : \"#aws configure set aws_session_token #g' "
		$sed_expiration    = " sed 's# \"Expiration\" : \"#\\n\\nExpiration : #g' "
	condition:
		// Equivalent to "all of them".
		$grep_creds and $aws_configure_set and all of ($sed_*)
}
// Hunting rule: scripts that probe several AZURE_* credential-bearing
// environment variables and echo them back. Unlike the AWS/GCP siblings,
// no shebang is required.
rule P0_Hunting_Azure_EnvVarNames_1 {
	meta:
		// NOTE(review): meta values are space-padded on both sides (likely a
		// page-extraction artifact, compare P0_Hunting_AWS_EnvVarNames_1);
		// kept verbatim. md5_06 and md5_07 hold the same hash.
		description = " Detecting presence of scripts searching for numerous environment variables containing sensitive Azure credential information "
		author = " daniel.bohannon@permiso.io (@danielhbohannon) "
		date = " 2023-07-12 "
		reference = " https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/ "
		md5_01 = " b9113ccc0856e5d44bab8d3374362a06 "
		md5_02 = " d9ecceda32f6fa8a7720e1bf9425374f "
		md5_03 = " 0855b8697c6ebc88591d15b954bcd15a "
		md5_04 = " f7df739f865448ac82da01b3b1a97041 "
		md5_05 = " 1a37f2ef14db460e5723f3c0b7a14d23 "
		md5_06 = " 99f0102d673423c920af1abc22f66d4e "
		md5_07 = " 99f0102d673423c920af1abc22f66d4e "
		md5_08 = " 5daace86b5e947e8b87d8a00a11bc3c5 "
	strings:
		$azure_var_prefix_plain = " $AZURE_ "
		$azure_var_prefix_brace = " ${AZURE_"
		$azure_var_01 = "AZURE_CREDENTIAL_FILE"
		$azure_var_02 = "AZURE_GUEST_AGENT_CONTAINER_ID"
		$azure_var_03 = "AZURE_CLIENT_ID"
		$azure_var_04 = "AZURE_CLIENT_SECRET"
		$azure_var_05 = "AZURE_TENANT_ID"
		$azure_var_06 = "AZURE_SUBSCRIPTION_ID"
		$echo_then = "then echo "
	condition:
		// "$azure_var_*" also covers the two prefix strings, as the original
		// "$envVarAzure*" wildcard did, so "3 of" counts eight candidates.
		any of ($azure_var_prefix_*)
		and 3 of ($azure_var_*)
		and #echo_then > 2
}
// Hunting rule: shell scripts that probe GOOGLE_* credential-bearing
// environment variables and echo them back.
rule P0_Hunting_GCP_EnvVarNames_1 {
	meta:
		description = "Detecting presence of scripts searching for numerous environment variables containing sensitive GCP credential information"
		author = "daniel.bohannon@permiso.io (@danielhbohannon)"
		date = "2023-07-12"
		reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
		md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
		md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
		md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
		md5_04 = "f7df739f865448ac82da01b3b1a97041"
		md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
		md5_06 = "99f0102d673423c920af1abc22f66d4e" // NOTE(review): duplicated in md5_07
		md5_07 = "99f0102d673423c920af1abc22f66d4e"
		md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
	strings:
		$shebang_sh   = "#!/bin/sh"
		$shebang_bash = "#!/bin/bash"
		$gcp_var_prefix_plain = " $GOOGLE_ "
		$gcp_var_prefix_brace = " ${GOOGLE_"
		$gcp_var_01 = "GOOGLE_API_KEY"
		$gcp_var_02 = "GOOGLE_DEFAULT_CLIENT_ID"
		$gcp_var_03 = "GOOGLE_DEFAULT_CLIENT_SECRET"
		$echo_then = "then echo "
	condition:
		// "$gcp_var_*" also covers the two prefix strings, as the original
		// "$envVarGCP*" wildcard did, so "2 of" counts five candidates.
		1 of ($shebang_*)
		and any of ($gcp_var_prefix_*)
		and 2 of ($gcp_var_*)
		and #echo_then > 1
}
// Hunting rule: credential-harvester scripts that print section banners of
// the form "-------- <SECTION> ------...". Five of the nine banners suffice,
// so partial variants still match.
rule P0_Hunting_Common_TeamTNT_CredHarvesterOutputBanner_1 {
	meta:
		description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing specific section banner output commands"
		author = "daniel.bohannon@permiso.io (@danielhbohannon)"
		date = "2023-07-12"
		reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
		md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
		md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
		md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
		md5_04 = "f7df739f865448ac82da01b3b1a97041"
		md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
		md5_06 = "99f0102d673423c920af1abc22f66d4e" // NOTE(review): duplicated in md5_07
		md5_07 = "99f0102d673423c920af1abc22f66d4e"
		md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
	strings:
		// Dash counts differ per banner and are part of the signature.
		$banner_aws_info     = "-------- AWS INFO ------------------------------------------"
		$banner_ec2_userdata = "-------- EC2 USERDATA -------------------------------------------"
		$banner_google_data  = "-------- GOOGLE DATA --------------------------------------"
		$banner_azure_data   = "-------- AZURE DATA --------------------------------------"
		$banner_iam_userdata = "-------- IAM USERDATA -------------------------------------------"
		$banner_aws_env_data = "-------- AWS ENV DATA --------------------------------------"
		$banner_proc_vars    = "-------- PROC VARS -----------------------------------"
		$banner_docker_creds = "-------- DOCKER CREDS -----------------------------------"
		$banner_creds_files  = "-------- CREDS FILES -----------------------------------"
	condition:
		5 of ($banner_*)
}
// Hunting rule keyed on an author typo: a loop variable spelled "CREFILE"
// combined with a bounded "find / -maxdepth" and an xargs loop that dumps
// each found file with a ":::<path>" header into an output file.
rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_1 {
	meta:
		description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo for 'CREFILE' variable name (assuming intended name is 'CREDFILE' since it is iterating file names in input array"
		author = "daniel.bohannon@permiso.io (@danielhbohannon)"
		date = "2023-07-12"
		reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
		md5_01 = "3e2cddf76334529a14076c3659a68d92"
		md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
		md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
		md5_04 = "28165d28693ca807fb3d4568624c5ba9"
		md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
		md5_06 = "f7df739f865448ac82da01b3b1a97041"
		md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
		md5_08 = "99f0102d673423c920af1abc22f66d4e" // NOTE(review): duplicated in md5_09
		md5_09 = "99f0102d673423c920af1abc22f66d4e"
		md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
	strings:
		$loop_var_typo = "for CREFILE in ${"
		$find_maxdepth = "find / -maxdepth "
		$xargs_dump    = " | xargs -I % sh -c 'echo :::%; cat %' >> $"
	condition:
		// Equivalent to "all of them".
		$loop_var_typo and $find_maxdepth and $xargs_dump
}
// Hunting rule: curl multipart-upload invocations that reuse the German
// "Datei=@" file field and the "Send=1"/username/password form fields.
rule P0_Hunting_Common_TeamTNT_CurlArgs_1 {
	meta:
		// NOTE(review): meta values are space-padded on both sides (likely a
		// page-extraction artifact, compare P0_Hunting_AWS_EnvVarNames_1);
		// kept verbatim. md5_06 and md5_07 hold the same hash.
		description = " Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common curl arguments including 'Datei' (German word for 'file' ) and specific 'Send=1' arguments found in German blog post https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html which details using curl (with these specific arguments) to upload files to upload.php "
		author = " daniel.bohannon@permiso.io (@danielhbohannon) "
		date = " 2023-07-12 "
		reference = " https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/ "
		md5_01 = " b9113ccc0856e5d44bab8d3374362a06 "
		md5_02 = " d9ecceda32f6fa8a7720e1bf9425374f "
		md5_03 = " 0855b8697c6ebc88591d15b954bcd15a "
		md5_04 = " f7df739f865448ac82da01b3b1a97041 "
		md5_05 = " 1a37f2ef14db460e5723f3c0b7a14d23 "
		md5_06 = " 99f0102d673423c920af1abc22f66d4e "
		md5_07 = " 99f0102d673423c920af1abc22f66d4e "
		md5_08 = " 5daace86b5e947e8b87d8a00a11bc3c5 "
	strings:
		// Surrounding spaces are part of the patterns (argument boundaries).
		$curl_file_field_de = " \"Datei=@\" "
		$curl_form_send     = " -F \"Send=1\" "
		$curl_form_username = " -F \"username= "
		$curl_form_password = " -F \"password= "
	condition:
		// Equivalent to "all of them".
		$curl_file_field_de and all of ($curl_form_*)
}
// LummaC stealer: C2 endpoint paths and artefact file names, matched in both
// ASCII and UTF-16LE. Intended for memory scans (see scan_type).
rule LummaC_Stealer {
	meta:
		author = "Cyble"
		description = "Detects LummaC Stealer Files"
		date = "2023-08-10"
		os = "Windows"
		threat_name = "LummaC Stealer"
		scan_type = "Memory"
		severity = 100
		reference_sample = "a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02"
	strings:
		$c2_sock       = "/c2sock" ascii wide
		$c2_conf       = "/c2conf" ascii wide
		$tesla_browser = "TeslaBrowser" ascii wide
		$software_txt  = "Software.txt" ascii wide
		$system_txt    = "System.txt" ascii wide
	condition:
		// Equivalent to "all of them".
		all of ($c2_*) and $tesla_browser and $software_txt and $system_txt
}
// Amadey bot: check-in request shape ("/index.php" plus the id/av/pc/un form
// parameters) and the MsBuild.exe path fragment, ASCII or UTF-16LE.
// The short parameter strings are only meaningful in conjunction with the
// others; every string must be present.
rule AmadeyBot {
	meta:
		author = "Cyble"
		description = "Detects Amadey Bot Files"
		date = "2023-08-10"
		os = "Windows"
		threat_name = "Amadey Bot"
		scan_type = "Memory"
		severity = 100
		reference_sample = "a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341"
	strings:
		$index_php = "/index.php" ascii wide
		$msbuild   = "\\MsBuild.exe" ascii wide
		$param_id  = "id=" ascii wide
		$param_av  = "&av=" ascii wide
		$param_pc  = "&pc=" ascii wide
		$param_un  = "&un=" ascii wide
	condition:
		// Equivalent to "all of them".
		$index_php and $msbuild and all of ($param_*)
}
// QwixxRAT: keylogger markers, browser/credential artefact names and the WMI
// queries the RAT issues, in ASCII or UTF-16LE. All eleven must be present.
rule Uptycs_QwixxRAT {
	meta:
		malware_name = "QwixxRAT"
		description = "QwixxRAT is a trojan designed to extract browser cookies, histories, credit card information and capture keylogger activities from targeted devices"
		author = "Uptycs Inc"
		version = "1"
	strings:
		$kl_capslock   = "[CAPSLOCK: ON]" ascii wide
		$kl_esc        = "[ESC]" ascii wide
		$kl_logfile    = "\\keylogs.txt" ascii wide
		$cap_webcam    = "webcam.png" ascii wide
		$wmi_os        = "SELECT * FROM win32_operatingsystem" ascii wide
		$wmi_av        = "Select * from AntivirusProduct" ascii wide
		$chrome_logins = "\\User Data\\Default\\Login Data" ascii wide
		$ftp_servers   = "recentservers.xml" ascii wide
		$cards_txt     = "credit_cards.txt" ascii wide
		$tasklist_fi   = "Tasklist /fi" ascii wide
		$autostealer   = "AutoStealer" ascii wide
	condition:
		all of them
}
// Packed STEELCORGI ELF backdoor (UNC1945): five opcode fragments with
// nibble wildcards ("4?" where a REX prefix varies) gated on the ELF magic.
// Three of the five fragments are enough.
rule ELF_packed_STEELCORGI_backdoor_UNC1945 {
	meta:
		description = "Yara Rule for packed ELF backdoor of UNC1945"
		author = "Yoroi Malware Zlab"
		last_updated = "2020_12_21"
		tlp = "white"
		category = "informational"
	strings:
		$code_1 = { 4? 88 47 3C C1 6C ?4 34 08 8A 54 ?? ?? 4? 88 57 3D C1 6C }
		$code_2 = { 0F B6 5? ?? 0F B6 4? ?? 4? C1 E2 18 4? C1 E0 10 4? }
		$code_3 = { 8A 03 84 C0 74 ?? 3C 3D 75 ?? 3C 3D 75 ?? C6 03 00 4? 8B 7D 00 }
		$code_4 = { 01 C6 89 44 ?? ?? 8B 44 ?? ?? 31 F2 89 74 ?? ?? C1 }
		$code_5 = { 4? 89 D8 4? 31 F2 4? C1 E0 13 4? 01 D7 4? }
	condition:
		// 0x464C457F is "\x7fELF" read as a little-endian uint32.
		uint32(0) == 0x464C457F and 3 of ($code_*)
}
// Unpacked STEELCORGI ELF backdoor (UNC1945): embedded build/debug names,
// a Spanish-language git message, dlopen/dlsym and an embedded Perl line.
// "server" and "test" are common words and are only meaningful through their
// occurrence counts (> 50 and > 20) on top of every other string matching.
// NOTE(review): unlike the packed variant there is no ELF-magic check here;
// adding uint32(0) == 0x464C457F would narrow this to on-disk ELF files.
rule ELF_unpacked_STEELCORGI_backdoor_UNC1945 {
	meta:
		description = "Yara Rule for unpacked ELF backdoor of UNC1945"
		author = "Yoroi Malware Zlab"
		last_updated = "2020_12_21"
		tlp = "white"
		category = "informational"
	strings:
		$mcarc        = "MCARC"
		$debug_name_1 = "833fc0088ea41bc3331db60ae2.debug"
		$pora         = "PORA1022"
		$word_server  = "server"
		$word_test    = "test"
		$git_msg_es   = "no ejecutar git-update-server-info"
		$dlopen       = "dlopen"
		$dlsym        = "dlsym"
		$debug_name_2 = "5d5c6da19e62263f67ca63f8bedeb6.debug"
		// Perl fragment: 'rint "[V] Attempting to get OS info with command: $command\n" if $verbose;'
		$perl_osinfo  = { 72 69 6E 74 20 22 5B 56 5D 20 41 74 74 65 6D 70 74 69 6E 67 20 74 6F 20 67 65 74 20 4F 53 20 69 6E 66 6F 20 77 69 74 68 20 63 6F 6D 6D 61 6E 64 3A 20 24 63 6F 6D 6D 61 6E 64 5C 6E 22 20 69 66 20 24 76 65 72 62 6F 73 65 3B }
	condition:
		#word_server > 50 and #word_test > 20 and all of them
}
// TYPEFRAME (HIDDEN COBRA): three opaque 10-byte sequences the source does
// not annotate; any one of them in a PE file is a hit.
rule enc_PK_header {
	meta:
		author = "NCCIC trusted 3rd party"
		incident = "10135536"
		date = "2018-04-12"
		category = "hidden_cobra"
		family = "TYPEFRAME"
		hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
	strings:
		$blob_0 = { 5F A8 80 C5 A0 87 C7 F0 9E E6 }
		$blob_1 = { 95 F1 6E 9C 3F C1 2C 88 A0 5A }
		$blob_2 = { AE 1D AF 74 C0 F5 E1 02 50 10 }
	condition:
		// "MZ" at 0 and "PE" at the e_lfanew offset (uint32 at 0x3c).
		uint16(0) == 0x5A4D
		and uint16(uint32(0x3c)) == 0x4550
		and 1 of ($blob_*)
}
// TYPEFRAME (HIDDEN COBRA): six short opaque byte sequences (4–11 bytes)
// the source does not annotate. All six are required, which compensates for
// how short the individual patterns are.
rule import_obfuscation_2 {
	meta:
		author = "NCCIC trusted 3rd party"
		incident = "10135536"
		date = "2018-04-12"
		category = "hidden_cobra"
		family = "TYPEFRAME"
		hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
	strings:
		$blob_0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }
		$blob_1 = { B6 DF 01 FD 48 B5 }
		$blob_2 = { B6 D5 0E F3 4E B5 }
		$blob_3 = { B7 DF 0E EE }
		$blob_4 = { B6 DF 03 FC }
		$blob_5 = { A7 D3 03 FC }
	condition:
		// "MZ" at 0 and "PE" at the e_lfanew offset (uint32 at 0x3c).
		uint16(0) == 0x5A4D
		and uint16(uint32(0x3c)) == 0x4550
		and all of ($blob_*)
}
// TYPEFRAME (HIDDEN COBRA) RAT: two code-pattern pairs. The first pair
// appears to be the 32-bit build (esp-relative argument load, and-mask
// 0xFFFF, cmp 0x43, 256-iteration byte loop); the second the 64-bit build of
// the same routines (REX.W-prefixed 48 89 / 48 83 / 48 FF). Either pair hits.
rule HC_RAT {
	meta:
		author = "NCCIC Code & Media Analysis"
		incident = "10135536"
		date = "2018-04-12"
		category = "hidden_cobra"
		family = "TYPEFRAME"
		hash0 = "1C53E7269FE9D84C6DF0A25BA59B822C"
	strings:
		$x86_range_check = { 8B 4C 24 04 33 C0 81 E1 FF FF 00 00 81 C1 00 80 FF FF 83 F9 43 0F 87 70 01 00 00 }
		$x86_byte_loop   = { 88 04 30 40 3D 00 01 00 00 }
		$x64_range_check = { 48 89 4C 24 08 57 48 83 EC 20 0F B7 C1 33 FF 05 00 80 FF FF 83 F8 43 0F 87 60 02 00 00 }
		$x64_byte_loop   = { 88 01 FF C0 48 FF C1 3D 00 01 00 00 }
	condition:
		all of ($x86_*) or all of ($x64_*)
}
// TYPEFRAME (HIDDEN COBRA): two variants of what appears to be a string
// deobfuscation loop — each byte in the range 'b'..'y' (0x62..0x79) is
// replaced by 0xDB minus the byte, until a NUL terminator. One variant
// works through ecx/al, the other through eax/cl. Either variant hits.
rule import_deob {
	meta:
		author = "NCCIC trusted 3rd party"
		incident = "10135536"
		date = "2018-04-12"
		category = "hidden_cobra"
		family = "TYPEFRAME"
		md5 = "ae769e62fef4a1709c12c9046301aa5d"
		md5 = "e48fe20eb1f5a5887f2ac631fed9ed63"
	strings:
		$deob_loop_ecx = { 8A 01 3C 62 7C 0A 3C 79 7F 06 B2 DB 2A D0 88 11 8A 41 01 41 84 C0 75 E8 }
		$deob_loop_eax = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6 }
	condition:
		// "MZ" at 0 and "PE" at the e_lfanew offset (uint32 at 0x3c).
		uint16(0) == 0x5A4D
		and uint16(uint32(0x3c)) == 0x4550
		and 1 of ($deob_loop_*)
}
// NOBELIUM HTA dropper: a body onload handler, repeated "hidden" markers,
// several innerHTML concatenations from getElementById(...) and at least
// two RegWrite( calls. Also fires on ISO images that embed the HTA, since
// the strings are matched anywhere in the file.
rule apt_nobelium_hta_reg_dropper {
	meta:
		id = "9f6a2154-c33a-4c38-9667-7479bf49c310"
		description = "Matches HTA dropper file used by NOBELIUM and ISO files containing it"
		hash = "054940ba8908b9e11f57ee081d1140cb"
		hash = "b7ca8c46dc1bfc1d9cb9ce04a4928153"
		version = "1.0"
		creation_date = "2021-12-07"
		modification_date = "2021-12-07"
		classification = "TLP:WHITE"
		source = "SEKOIA"
	strings:
		$regwrite = "RegWrite(" nocase
		// '+= document.getElementById("' [0-4 bytes] '").innerHTML'
		$innerhtml_append = { 2B 3D 20 64 6F 63 75 6D 65 6E 74 2E 67 65 74 45 6C 65 6D 65 6E 74 42 79 49 64 28 22 [0-4] 22 29 2E 69 6E 6E 65 72 48 54 4D 4C }
		$body_onload = "<body onload=" nocase
		$hidden = "hidden" nocase
	condition:
		$body_onload
		and #hidden > 3
		and #innerhtml_append > 3
		and #regwrite > 1
}
// NOBELIUM: ISO image authored with ImgBurn that embeds an HTA, bounded to
// the 1–3 MB size band of the known samples.
rule apt_nobelium_hta_in_iso {
	meta:
		id = "874ab41b-5c60-4303-8776-e1c10313a401"
		description = "Matches ISO file embedding HTA"
		hash = "d4fdf63d88da2d59569bb621b18bf5e4"
		hash = "cc08a6df151b8879a4969b2e99086b48"
		version = "1.0"
		creation_date = "2021-12-02"
		modification_date = "2021-12-02"
		classification = "TLP:WHITE"
		source = "SEKOIA"
	strings:
		$imgburn_tag = "ImgBurn v2"
		$hta_app_tag = "<hta:application"
	condition:
		filesize > 1MB and filesize < 3MB
		and $imgburn_tag and $hta_app_tag
}
// NOBELIUM HTML smuggling: a Blob is built client-side, saved with a ".iso"
// name and "application/x-cd-image" MIME type, and a synthetic click
// triggers the download. Bounded to the 1–2 MB size band of the samples.
rule apt_nobelium_html_smuggling_iso {
	meta:
		id = "9bd5b626-8ea3-4607-a858-58deff18396c"
		version = "1.0"
		description = "Detect HTML smuggling with ISO"
		hash = "b87073c34a910f20a83c04c8efbd4f43"
		hash = "3d18bc4bfe1ec7b6b73a3fb39d490b64"
		source = "SEKOIA"
		creation_date = "2022-01-02"
		modification_date = "2022-01-02"
		classification = "TLP:WHITE"
	strings:
		$new_blob = "new Blob"
		$click    = ".click();"
		// '(' [1-20] ',"' [1-20] '.iso","application/x-cd-image")'
		$save_iso = { 28 [1-20] 2C 22 [1-20] 2E 69 73 6F 22 2C 22 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 63 64 2D 69 6D 61 67 65 22 29 }
	condition:
		filesize > 1MB and filesize < 2MB
		and $new_blob and $click and $save_iso
}
// NOBELIUM HTML: a base64 → Uint8Array conversion loop. Both loop fragments
// must sit between the first "atob(" and the first "new Uint8Array"
// occurrence (@ gives the first match offset of each string).
rule apt_nobelium_b64_to_Uint8Array {
	meta:
		id = "66c9b00b-f021-4115-b9ec-d1e1f491ce72"
		description = "Detect Base64 decode to Uint8Array used in NOBELIUM HTML files"
		hash = "3d18bc4bfe1ec7b6b73a3fb39d490b64"
		version = "1.0"
		creation_date = "2021-12-02"
		modification_date = "2021-12-02"
		classification = "TLP:WHITE"
		source = "SEKOIA"
	strings:
		$b64_decode = "atob("
		$u8_array   = "new Uint8Array"
		// ' < ' [2-10] '.length; i++){'
		$loop_head = { 20 3C 20 [2-10] 2E 6C 65 6E 67 74 68 3B 20 69 2B 2B 29 7B }
		// '[i] = ' [2-10] '.charCodeAt(i);'
		$loop_body = { 5B 69 5D 20 3D 20 [2-10] 2E 63 68 61 72 43 6F 64 65 41 74 28 69 29 3B }
	condition:
		$loop_head in (@b64_decode .. @u8_array)
		and $loop_body in (@b64_decode .. @u8_array)
		and filesize > 1MB and filesize < 3MB
}
import "pe"

// NOBELIUM obfuscated CobaltStrike loader (requires the "pe" module):
// a DLL with more than 20 exports in the 300–400 KB band whose code is
// saturated with repeated x87 load/store pairs and back-to-back
// mov [ebp+disp32], imm32 pairs, plus exactly two "cmp [ebp+x], 0xFF ; jle"
// backward-branch sites.
rule apt_nobelium_cs_loader_obfuscation {
	meta:
		id = "5f21b031-3dc1-4dad-b775-6099bfcb0472"
		version = "1.0"
		description = "Detect obfuscated CobaltStrike loaders used by NOBELIUM"
		hash = "41dd8cee47c036e7e9e92c395c5d1feb"
		hash = "4365057ef0c5a9518d95d53eab5995a8"
		source = "SEKOIA"
		creation_date = "2022-01-04"
		modification_date = "2022-01-04"
		classification = "TLP:WHITE"
	strings:
		$fld_fstp_pair = { DD 05 ?? ?? ?? ?? DD 9D }                    // fld qword [abs] ; fstp qword [ebp+disp32]
		$mov_imm_pair  = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }        // mov dword [ebp+disp32], imm32 ; mov ...
		$cmp_ff_jle    = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }     // cmp dword [ebp+disp8], 0xFF ; jle (negative rel32)
	condition:
		pe.characteristics & pe.DLL
		and pe.number_of_exports > 20
		and filesize > 300KB and filesize < 400KB
		and #fld_fstp_pair > 50
		and #mov_imm_pair > 50
		and #cmp_ff_jle == 2
}
// Rovnix downloader: the "BOOTKIT_DLL.dll" name together with the full list
// of substrings the sample checks resolved hostnames against (sinkhole /
// security-vendor keywords). The keywords are common words individually and
// only carry weight because all fourteen are required alongside $bootkit_dll.
// NOTE(review): "$mz in (0 .. 2)" accepts the MZ signature at offset 0, 1 or
// 2; uint16(0) == 0x5A4D would be the strict header check. Behaviour kept.
rule rovnix_downloader {
	meta:
		author = "McAfee"
		description = "Rovnix downloader with sinkhole checks"
	strings:
		$kw_01 = "control"
		$kw_02 = "sink"
		$kw_03 = "hole"
		$kw_04 = "dynadot"
		$kw_05 = "block"
		$kw_06 = "malw"
		$kw_07 = "anti"
		$kw_08 = "googl"
		$kw_09 = "hack"
		$kw_10 = "trojan"
		$kw_11 = "abuse"
		$kw_12 = "virus"
		$kw_13 = "black"
		$kw_14 = "spam"
		$bootkit_dll = "BOOTKIT_DLL.dll"
		$mz = { 4D 5A }
	condition:
		$bootkit_dll and $mz in (0 .. 2) and all of ($kw_*)
}
// Nosedive dropper: a tiny (< 3 KB) sh script that starts with the shebang
// and shows at least six of the seven dropper habits (temp dirs, wget over
// HTTP, self-deletion, pidof-kill, sleep loop).
rule Nosedive_custom_dropper {
	meta:
		author = "Lumen Technologies - Black Lotus Labs"
	strings:
		$shebang = "#!/bin/sh" ascii fullword
		$ind_tmp         = "/tmp"
		$ind_var_tmp     = "/var/tmp"
		$ind_wget_http   = "wget http://"
		$ind_self_delete = "rm -rf $0" ascii fullword
		$ind_kill_pidof  = "kill -9 `pidof"
		$ind_sleep       = "sleep 1" ascii fullword
		$ind_while_true  = "while true" ascii fullword
	condition:
		$shebang at 0
		and 6 of ($ind_*)
		and filesize < 3KB
}
// HermeticWiper / DiskKill: a single 32-bit code sequence from the sample
// (stack-buffer setup followed by a DeviceIoControl-style call through an
// import at 0x405064 with control code 0x90064), required in a PE file.
rule hermetic_wiper {
	meta:
		description = "Yara rule for the detection of DiskKill/HermeticWiper sample"
		author = "Yoroi Malware ZLab"
		last_updated = "2022-02-24"
		tlp = "WHITE"
		category = "informational"
	strings:
		$code_seq = { 45 8C 66 0F D6 45 9C FF D3 50 FF D7 8B F8 85 FF 0F 84 F7 00 00 00 6A 00 8D 85 78 FF FF FF 50 6A 60 57 6A 00 6A 00 68 64 00 09 00 FF 75 A4 FF 15 64 50 40 00 57 6A 00 85 C0 75 10 FF D3 8B 3D 70 }
	condition:
		uint16(0) == 0x5A4D and $code_seq
}